Showing posts with label web application security.

Sunday, November 4, 2012

Portable WAPT Hacme Travel Setup


In this post, the last in the series on setting up the Hacme applications, Hacme Travel will be set up. Again, it is assumed Hacme Travel is being set up on the same XP system as the other Hacme applications.

First download Hacme Travel:


There are no other prerequisites, but the SQL authentication mode must be changed to mixed mode. The following article details the steps to accomplish this:


Open the Registry using regedit and browse to HKLM\Software\Microsoft\MSSqlserver\MSSqlserver\LoginMode. If the value is set to 1, SQL Server is using Windows authentication only. Change the value to 2 (mixed mode). Close regedit and restart the SQL Server service.
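The same change can be scripted from a command prompt, which is handy when the lab has to be rebuilt. The script below is an added example and is not from the original post; it assumes a default (unnamed) SQL Server 2000/MSDE instance, which is why it uses the registry key named above and the MSSQLSERVER service name, and it backs up the key before writing to it.

```batch
@echo off
rem Added example (not from the original post): switch SQL Server 2000 / MSDE
rem to mixed-mode authentication from a command prompt instead of regedit,
rem then restart the service so the change takes effect.
rem Assumptions: default (unnamed) instance, so the key is the one the post
rem names and the service is MSSQLSERVER. Run from an Administrator account.

set KEY=HKLM\Software\Microsoft\MSSqlserver\MSSqlserver
set SVC=MSSQLSERVER
set BAK=%TEMP%\MSSqlserver-LoginMode-backup.reg

echo Current LoginMode (1 = Windows authentication only, 2 = mixed mode):
reg query "%KEY%" /v LoginMode
if errorlevel 1 (
    echo LoginMode not found under %KEY% - is this the default instance?
    exit /b 1
)

rem Back up the key first so the lab can be restored to its previous state.
if exist "%BAK%" del "%BAK%"
reg export "%KEY%" "%BAK%"

rem Set LoginMode to 2 (mixed mode). /f overwrites without prompting.
reg add "%KEY%" /v LoginMode /t REG_DWORD /d 2 /f
if errorlevel 1 (
    echo Failed to write LoginMode - are you running as an Administrator?
    exit /b 1
)

rem SQL Server only reads LoginMode at startup, so restart the service.
net stop %SVC%
net start %SVC%

echo Verifying the new value:
reg query "%KEY%" /v LoginMode
```

Save it as a .cmd file on the XP VM and run it once; the exported .reg file in %TEMP% can be double clicked to put the key back if needed.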

With SQL prepared, next extract Hacme Travel and double click the install file. Accept the defaults, including integration with Hacme Bank. For the database setup select trusted connection, and when asked enter in an Administrator account and password for user management.

After setup is complete, start Hacme Travel by clicking on Start, All Programs, Foundstone Free Tools, Hacme Travel 1.0, Start Foundstone Hacme Travel Server.bat. Once the server is started you must use the Hacme Travel Agent client to connect. The Hacme Travel Agent is a Windows executable that could potentially be run from a remote system.

With the last of the Hacme applications set up, there are a couple of “house cleaning” items to perform to make the lab a bit easier to use. In the next post I will cover these items.

Sunday, October 7, 2012

Portable WAPT Hacme Books Setup


In this post we will install Hacme Books on the same VM that all of the other Hacme Applications are installed on. Hacme Books is probably the second easiest of the Hacme series to install.

First download Hacme Books and the prerequisites required for installation.


Once all software is downloaded, begin by installing the Java Development Kit (JDK). I am going to install a JDK that is a few versions behind, in this case Java 6 update 27 (which was randomly picked). Double click on the Java install executable. Accept the defaults and Java will install.

Next, extract Hacme Books and browse to the install file and double click. Accept the defaults and Hacme Books will be installed.

To test successful installation, click on Start, All Programs, Foundstone Free Tools, Hacme Books 2.0, Hacme Books Server START. In a web browser, browse to this URL:


If you see the Hacme Books 2.0 web site you have successfully installed Hacme Books.

Next, to ensure that Hacme Books always starts, copy the Hacme Books Server START script from above and place it in the Startup folder. Browse to:

C:\Program Files\Foundstone Free Tools\Hacme Books 2.0\tomcat\bin\

Right click startup.bat and create a shortcut. Move this shortcut to:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Reboot the system and Hacme Books should now start automatically.

The last step is to make Hacme Books accessible over the network. Browse to:

C:\Program Files\Foundstone Free Tools\Hacme Books 2.0\tomcat\conf

Open server.xml with a text editor. Go to the line that says:

<Connector port="8989" address="127.0.0.1" maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100"
           debug="0" connectionTimeout="20000"
           disableUploadTimeout="true" />

Change the address to “0.0.0.0”. Restart Hacme Books via the start menu. From your Samurai WTF browse to:


Hacme Books is now accessible from the network and will start automatically. In the next post I will describe setting up Hacme Travel.
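Before testing from Samurai WTF it is worth confirming on the XP host that Tomcat really is bound to all interfaces, and that the Windows Firewall (on by default since XP SP2) is not still blocking the port. The batch script below is an added example and is not part of the original post; it assumes port 8989 from the Connector line above, uses an arbitrary rule name, and limits the firewall opening to the local subnet so the deliberately vulnerable application is only reachable from the lab network.

```batch
@echo off
rem Added example (not from the original post): confirm on the XP host that
rem Tomcat is listening on all interfaces after the server.xml change, then
rem open the port in the XP firewall if it is enabled, otherwise Samurai WTF
rem will still be unable to connect. Port 8989 comes from the Connector line
rem in server.xml; the rule name "Hacme Books" is an arbitrary label.

set PORT=8989

echo Listening sockets on port %PORT% (expect 0.0.0.0:%PORT%, not 127.0.0.1:%PORT%):
netstat -ano | findstr /r /c:":%PORT% .*LISTENING"
if errorlevel 1 (
    echo Nothing is listening on %PORT% - is Hacme Books Server started?
    exit /b 1
)

rem Only LISTENING rows are checked, so a local client connection to the port
rem does not produce a false positive.
netstat -ano | findstr /r /c:"127.0.0.1:%PORT% .*LISTENING" >nul
if not errorlevel 1 (
    echo Still bound to 127.0.0.1 - server.xml not changed or Tomcat not restarted.
    exit /b 1
)

echo Windows Firewall state:
netsh firewall show state

rem Open the port for the local subnet only (scope=SUBNET) so the vulnerable
rem application is reachable from the lab network and nowhere else.
netsh firewall add portopening protocol=TCP port=%PORT% name="Hacme Books" mode=ENABLE scope=SUBNET

echo Done. From Samurai WTF, browse to http://[XP IP address]:%PORT%/ to verify.
```

If the firewall is already off (netsh firewall show state reports it disabled), the add portopening line is harmless and simply records a rule for when it is turned back on.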

Monday, September 17, 2012

Portable WAPT Hacme Shipping Setup


In the previous post Hacme Casino was installed; in this post Hacme Shipping will be set up. This post assumes you are using the same XP machine that has Hacme Bank and Hacme Casino installed.

To begin, Hacme Shipping and the following prerequisites must be downloaded.


While setting up Hacme Shipping, this blog post from pingtrip.com was very helpful.

With the prerequisites downloaded, begin by installing .Net Framework 2.0: double click on NetFX20SP2_x86. Let the framework install.

Next, browse to the .Net Framework 4.0 download and double click the dotNetFx40_Full_setup.exe file to start the .Net Framework install. Accept the defaults and let .Net install; when the installation completes, reboot the system.

Now browse to the MySQL download and double click on the MySQL installer. Select the defaults; when choosing a setup type, select Custom. Under Applications uncheck MySQL for Excel 1.0.7. Under MySQL Connectors ONLY check Connector/NET 6.5.4, then continue the install. MySQL will install MS Visual C++ 2010; accept the defaults and continue the MySQL install. You will be asked to enter a root password; I entered password (it’s a training application) and otherwise selected the defaults.

Next, extract Hacme Shipping. After extraction double click on the Hacme Installer file. Select the defaults; when prompted for the database setup, enter the MySQL root password set earlier. If asked for the mysql.exe location, browse to the following:

C:\Program Files\MySQL\MySQL Server 5.5\bin\mysql.exe

Click set location, and complete the install of Hacme Shipping.

To complete Hacme Shipping we must install Cold Fusion. Browse to the Cold Fusion download and double click the exe (the file name will change based on the version used), in this case version 10. Select the defaults; when asked for a serial number, select developer edition. Set the admin password for remote start/stop administration (again I selected password) and continue selecting defaults. You will be asked for the administrator password, and I set it to password. Continue with defaults and install Cold Fusion.

When Cold Fusion installation is complete you will be taken to the Cold Fusion Admin page. Enter in the password set earlier. It will take several minutes for the initial configuration to complete. When it does click the Ok button.

Next, the Hacme Shipping database needs to be added. Log into the management interface and click on Data Sources. Enter in the following information:

            Data Source Name: hacmeshipping
            Driver: MySQL (4/5)

Click add. To configure the database connection enter in the following information:

            Database: hacmeshipping
            Server: 127.0.0.1
            Username: root
            Password: password

Click submit to configure the connection. With MySQL and Cold Fusion configured, click on the Hacme Shipping link to verify everything is working.

The Hacme XP system now has three vulnerable applications installed for web application testing. In the next blog post I will cover installing Hacme Books.

Sunday, September 9, 2012

Portable WAPT Hacme Casino Setup


In the previous post we set up Hacme Bank for a portable web app pen testing lab. This post is going to focus on setting up Hacme Casino. Hacme Casino is written in Ruby on Rails and has several well known web application vulnerabilities.

This post assumes Hacme Casino will be set up on the same Windows XP SP3 system that was set up with Hacme Bank as described in this blog post.

Download Hacme Casino from the Foundstone website.

Hacme Casino has no other prerequisites; begin by browsing to where the application was downloaded. Extract the contents, and then browse to the folder where the files were extracted. Double click on HacmeCasinoSetup.exe. Select the defaults and finish.

The install for Hacme Casino is the simplest of the Hacme applications. To test, start by clicking the Start button, All Programs, Foundstone Free Tools, Hacme Casino 1.0, Hacme Server START. This will start Hacme Casino.

Open up a web browser and enter in the following URL:


If you see a login page, Hacme Casino is successfully installed. To verify remote access, if using the IP addresses described in earlier posts, enter the URL:


You should see the same page as before.

Unlike Hacme Bank, Hacme Casino will not automatically start. To ensure that Hacme Casino starts every time the system is rebooted, the easiest way is to add the startup script to the Windows Startup folder. Browse to C:\Program Files\Foundstone Free Tools\Hacme Casino v1.0. Create a shortcut for Hacme Casino, then copy it into C:\Documents and Settings\All Users\Start Menu\Programs\Startup. When the system is rebooted, Hacme Casino will automatically start.

With Hacme Casino and Hacme Bank set up, the next blog post will be about setting up Hacme Shipping.

Saturday, September 1, 2012

Portable WAPT Hacme Bank Setup


In the last post we set up the Samurai WTF and OWASP Broken Web Application (OBWA) VMs. In this post we will set up the Hacme VM with the Hacme Bank applications.

The Hacme applications are a set of purposely insecure web applications from Foundstone. The collection includes Hacme Bank, Hacme Books, Hacme Casino, Hacme Travel and Hacme Shipping. The nice thing about the Hacme series is that they are written using various technologies.

To begin, we must install the OS and the following requirements for the Hacme software:

· Windows XP SP3
· IIS
· .NET Framework v1.1
· SQL 2000 MSDE

First build a VM for Windows. The challenge with this system will be giving it sufficient memory and storage. For my lab I am going to give it 2 GB of memory and 50 GB of storage. Once the VM is built, install the Windows OS.

Once the OS is installed, patch it. After patching, begin downloading all of the software and its requirements.

Download the following software:


Hacme Bank Installation
First we must install SQL 2000, IIS, and the .Net v1.1 Framework. These instructions are in the Hacme Bank User Guide.

Browse to where SQL 2000 MSDE was saved and double click on MSDE200A.exe. Accept the defaults and the SQL 2000 installation files will be downloaded. In a command prompt, change to the directory where the install files were downloaded to; if you chose the defaults the directory will be MSDERelA. Type in the following command to install MS SQL 2000:

c:\MSDERelA\Setup SAPWD=password SECURITYMODE=MIXED DISABLENETWORKPROTOCOLS=0

This will install SQL with an SA password of password, using mixed mode authentication, and allow the SQL server to be accessible over the network.

After SQL installation is complete next install IIS through the Control Panel. Browse to Add/Remove Programs, Add/Remove Windows components. Check the box next to IIS and click next. Click Finish after installation is complete.

Next, browse to where .Net Framework was downloaded and double click on the file dotnetfx.exe. Select the defaults and let .Net Framework install. Once installation is complete run the following command from a command prompt:

c:\windows\microsoft.net\framework\v1.1.4322\aspnet_regiis -i 

This ensures that .Net Framework v1.1 and IIS are configured properly. Reboot the system to ensure all services are started.

Browse to where Hacme Bank was downloaded and extract the Hacme Bank file. Double click Foundstone Hacme Bank Web Service Setup to begin the installation. Click through the welcome page, read and accept the license agreement, and click through the rest of the defaults until the database setup. Change the authentication type to Trusted Connection and finish the install.

Next double click Foundstone Hacme Bank Web Site. Select the defaults and install the web site. Double click on the Hacme Bank Web Site icon and enter the username jv and password jv789. If a welcome message appears, Hacme Bank has been successfully set up.

The final step is setting up remote connections. Browse to C:\Inetpub\wwwroot\HacmeBank_v2_Website and open the Web.config file.
Comment out the following line:

<add name="HttpModule_onlyAllowLocalAccess" type="HacmeBank_v2_Website.httpModules.HttpModule_onlyAllowLocalAccess,HacmeBank_v2_Website" />

After setting up Hacme Bank, I have decided to break up the installation of Hacme applications over a series of posts. In the next post I will cover Hacme Casino.